Mercurial > hg > freeDiameter
changeset 1403:6a35c5470ef4
Security fix: check invalid incoming data
author | Sebastien Decugis <sdecugis@freediameter.net> |
---|---|
date | Tue, 07 Jul 2020 01:24:48 +0800 |
parents | d1827bc3cf90 |
children | 19ab8ac08a36 |
files | libfdproto/messages.c |
diffstat | 1 files changed, 12 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/libfdproto/messages.c Tue Dec 10 00:53:45 2019 +0800 +++ b/libfdproto/messages.c Tue Jul 07 01:24:48 2020 +0800 @@ -1946,6 +1946,14 @@ offset += 4; } + /* Check the length is valid */ + if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) { + TRACE_DEBUG(INFO, "Invalid AVP size %d", + avp->avp_public.avp_len); + free(avp); + return EBADMSG; + } + /* Check there is enough remaining data in the buffer */ if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags)) && (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) { @@ -1992,6 +2000,10 @@ TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen ); return EBADMSG; } + if ( msglen < GETMSGHDRSZ() ) { + TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen ); + return EBADMSG; + } /* Create a new object */ CHECK_MALLOC( new = malloc (sizeof(struct msg)) );